IT – ARE YOU COVERING THE BASICS?

My average day usually consists of copious amounts of caffeine, a workout and penetration testing some of the hardest (and easiest) networks in Australia and around the world.

This year we already have a substantial number of security engagements under our belt, and we're seeing the same issues recur across all of them in 2017, which is a worry. Some of the issues I commonly find are not direct security issues; they are basic housekeeping issues. CIOs and IT teams, if you want an easy way to reduce your risk profile, please keep your house clean!

Most of the clients that come to us have either never had any sort of security engagement performed, or they have had a basic "intrusion scan", "security audit" or similar done (usually by a big audit house). In the case of the latter, it is usually because the company has been engaged to provide a service to the government, a bank or another security-conscious organisation, and an assessment has been dictated as a security requirement of doing business. Unfortunately, these audits usually give the client something like this:

A spat-out version of a vulnerability scan with no substance and no real attack vectors exercised. It doesn't look at the basics, like leveraging default credentials or incorporating perimeter services. This gives companies a degree of comfort (ignorance is bliss), but an organisation definitely shouldn't consider itself secure because it has had this done.

Vulnerability assessments are important, but they only provide the "may be vulnerable to" issues. Unless the tester has actively validated the vulnerabilities with an exploit, or tried to leverage them to gain further access, the findings don't provide a lot of value.

Which leads me back to housekeeping. The audits above generally won't check for the bad practices that lead to a breach, for example weak passwords or policies, or stale firewall rules.

It’s easy to let basic activities fall to the bottom of the list when you have support tickets to deal with, as well as maintenance and strategic IT projects, but ignoring or postponing IT basics can leave gaping holes in your environment.
Ask yourself: what are you doing to ensure you are not breached?

As a starting point, look at your organisation and check these points off:

IT/Operations/SysAdmins/Service Desk

Are your password policies adequate? Are you enforcing a minimum of 10-12 characters, with complexity requirements, and disallowing the company name, job functions or generic dictionary words?
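One way to turn that policy into an automated check, as an added example (not code from the original post); the organisation name, blocked terms and minimum length are constructed placeholders:

```python
import re

# Constructed example values for the organisation; substitute your own.
ORG_NAME = "examplecorp"
MIN_LENGTH = 12
# Company name, business functions and the generic words we keep seeing in resets.
BLOCKED_TERMS = {ORG_NAME, "finance", "payroll", "helpdesk",
                 "welcome", "password", "monday", "summer"}
# Common substitutions attackers try first, so "W3lc0me" is treated as "welcome".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def policy_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password)]
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than 3 of 4 character classes")

    lowered = password.lower()
    normalised = lowered.translate(LEET)
    for term in sorted(BLOCKED_TERMS):
        if term in lowered or term in normalised:
            problems.append(f"contains blocked term '{term}'")
    return problems


def is_compliant(password: str) -> bool:
    return not policy_violations(password)
```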

When was the last time you did a review and clean up of Active Directory (AD) accounts? There is no need to keep accounts from three years ago.

When was the last time you reviewed and cleaned up all domain, enterprise and schema admins?

Do you separate admin access accounts from standard user accounts?

Have you performed an audit of all accounts set to "password never expires"?

When did you last change the service account passwords? Can you use Group Managed Service Accounts?

When was the last time you reviewed and cleaned up your firewall rules? And, while you’re at it, when was the last time you did an upgrade to the firmware or software?

Do you use multi-factor authentication (MFA) on your perimeter systems? If not, it's time to adopt it.

Are your lockout policies in line with best practice: is the threshold low enough, and do locked accounts stay locked rather than auto-unlocking?

Have you set up a Have I Been Pwned notification so you know when accounts are compromised?

Do you reset user passwords to an easily guessed value, e.g. Welcome1, Monday1, etc.? If so, it's time to stop.

Do you have web filtering, email filtering and outbound firewall rule limiting in place?

Would you know if someone was password spraying your accounts? If not, you should implement alerting. It can be as simple as a PowerShell script, or you can go more advanced with a HIDS, a service like Sumo Logic, or a SIEM/USM like AlienVault.
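The core of that "simple script" is telling a spray (one source, a few attempts against many accounts) apart from a user mistyping their own password. This added example, which is not from the original post, runs that logic over a constructed set of failed-logon (Event ID 4625) records; the timestamps, account names and source addresses are made up, and the window and threshold are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows failed-logon (Event ID 4625) records, not real logs:
# (timestamp, target account, source address). On a domain controller these come
# from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}.
SAMPLE_EVENTS = [
    ("2017-05-02 09:00:01", "alice", "10.0.0.5"),
    ("2017-05-02 09:00:03", "bob",   "10.0.0.5"),
    ("2017-05-02 09:00:05", "carol", "10.0.0.5"),
    ("2017-05-02 09:00:07", "dave",  "10.0.0.5"),
    ("2017-05-02 09:00:09", "erin",  "10.0.0.5"),
    ("2017-05-02 09:00:11", "frank", "10.0.0.5"),
    ("2017-05-02 09:05:00", "alice", "10.0.0.22"),  # one user mistyping: benign
    ("2017-05-02 09:05:30", "alice", "10.0.0.22"),
    ("2017-05-02 13:00:00", "alice", "10.0.0.5"),   # hours later, outside the window
]


def parse(events):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, src)
            for ts, acct, src in events]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: sorted accounts} for every source that failed logons
    against at least min_accounts distinct accounts inside one sliding window.
    Repeated failures against a single account never trigger, so a forgotten
    password is not reported as a spray."""
    by_source = defaultdict(list)
    for ts, acct, src in parse(events):
        by_source[src].append((ts, acct))

    alerts = {}
    for src, attempts in by_source.items():
        attempts.sort()          # sliding window needs chronological order
        hit, start = set(), 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1       # drop attempts that fell out of the window
            accounts = {acct for _, acct in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                hit |= accounts
        if hit:
            alerts[src] = sorted(hit)
    return alerts
```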

Is AV/endpoint protection on every machine? When was the last time you tested it to ensure it is sufficient? Can users or admins disable or create exclusions in the product locally?

Do you utilise application whitelisting and trusted locations?

Are you blocking Office macro documents?

Are all your perimeter-facing services fully patched, from the operating system through to applications, services and filtering?

Have you made allocations in your budgets for security expenditure and testing?

Do you have Cyber Insurance in place and is the amount suitable for the cover you need?

Have you planned for decommissioning end-of-life operating systems and applications, and for upgrades to the latest versions of software and operating systems?

Have you started moving to the cloud?

Do you have an intrusion prevention system (IPS) and sufficient detection and monitoring systems? If not, it's time to implement them.

Do you have an awareness training program in place? If not, why not?

Are you ensuring that your third parties are secure, especially the ones who have access to your systems? Are they undertaking penetration testing on their networks?

Do you run your website on a dedicated host, shared hosting or locally? Are you ensuring sufficient protection is applied such as a web application firewall?

Do you utilise a mobile device management (MDM) solution for mobile devices?

Security policies – do you have them and when were they last reviewed?

Do you enforce blocking or limiting of USB devices?

Do you have a risk management framework in place?

For more ways to help ensure your organisation is secure, please see my annual Security Bulletin here. Most importantly, ensure you are getting a penetration test completed annually. This will test for all of the above and much, much more. I hope this post has given you some food for thought around your systems. If you would like more information on how we can help your organisation stay secure, check out our security solutions.